Import Debian changes 1.1.8-3.6

pam (1.1.8-3.6) unstable; urgency=medium

  * Non-maintainer upload.
  * cve-2015-3238.patch: Add the changes in the generated pam_exec.8
    and pam_unix.8 in addition to (and after) the changes to the
    source .xml files. This avoids unwanted rebuilds that can cause
    problems due to differing files on different architectures of
    the Multi-Arch: same libpam-modules. (Closes: #851545)

1 files changed, 26 insertions, 0 deletions

diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
index 7c75ee5c..cb5e8c06 100644
--- a/debian/patches-applied/cve-2015-3238.patch
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -152,3 +152,29 @@ index fdb45c2..abccd82 100644
  	      pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
  	      retval = PAM_AUTH_ERR;
  	    }
+--- a/modules/pam_unix/pam_unix.8	2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_unix/pam_unix.8	2017-05-27 15:34:49.000000000 +0000
+@@ -56,6 +56,10 @@
+ \fBnoreap\fR
+ module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
+ .PP
++The maximum length of a password supported by the pam_unix module via the helper binary is
++\fIPAM_MAX_RESP_SIZE\fR
++\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&.
++.PP
+ The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the
+ \fBENCRYPT_METHOD\fR
+ variable from
+--- a/modules/pam_exec/pam_exec.8	2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_exec/pam_exec.8	2017-05-27 15:56:25.000000000 +0000
+@@ -65,7 +65,9 @@
+ \fBexpose_authtok\fR
+ .RS 4
+ During authentication the calling command can read the password from
+-\fBstdin\fR(3)\&.
++\fBstdin\fR(3)\&. Only first
++\fIPAM_MAX_RESP_SIZE\fR
++bytes of a password are provided to the command\&.
+ .RE
+ .PP
+ \fBlog=\fR\fB\fIfile\fR\fR